  • What’s bad about it?

    ActivityPub Protocol

    astro@socialhub.activitypub.rocks

    What’s bad about it? It gives read access to their entire server, gives access to followers-only and mentioned-only posts, not just public posts.

    I don't see what I can do about Mastodon's security issue in #FediBuzz. I was hoping the Mastodon people were using the time to make permissions more fine-grained instead of sabotaging useful services that simply help support decentralization.

    I added relay client functionality a year ago, subscribing to many of the other public relays. However, the resulting throughput is at 0.1 posts/s which is really poor compared to the 10 posts/s we get from the public federated timelines. Implementing it was wasted time but it totally validated the client API approach. I wonder why that is still recommended by operators of big servers as they don't seem to bother joining relays at all, otherwise there would be much more traffic.

    Please stop telling me "you are doing it wrong." Posing as a person who wants to control a social network has strong Elon vibes. It will make me look into Bluesky and Nostr eventually where firehose feeds are public for everyone.

  • thisismissem@socialhub.activitypub.rocks

    @Astro we are, of course, always working on ways to improve Mastodon's security & safety posture, this is a continuous process. As mentioned in the original GitHub issue after the streaming API had security increased, the streaming API was never intended as a tool for mass data gathering nor mass data scraping without consent.

    The streaming server is not intended for this usage, plain and simple: it's intended for end-users to get quicker updates in the clients that they use.

    Right now, what you're doing exposes users to abuse that is invisible to them, but visible to their followers, because you're accessing our content without consent and then broadcasting it to servers we have defederated from.

    This is an issue that existing Relays do not create, because they gain consent to access data.

  • julian@community.nodebb.org

    I'm putting in notes as I'm attempting to implement a relay subscription following the Litepub-style.

    • AodeRelay
      • Asserting the relay server actor proved problematic, as the subject provided by the relay is missing the acct: scheme.
      • It seems the follow and accept sent back from this relay contains your actor uri in the activity object ID.
    • yukimochi/Activity-Relay
      • The relay server actor does not contain an outbox (https://github.com/yukimochi/Activity-Relay/issues/102)
      • I am unable to successfully test whether a relay subscription to this software works. relay.toot.io does not respond to my Follow, and relay.intahnet.co.uk is sending Rejects back. Lightly perusing the issue tracker suggests that this relay utilises manual approval.
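
    The first AodeRelay note above, as an added example (not part of julian's post and not NodeBB's code): one way to assert a relay actor from its WebFinger response while tolerating a subject that lacks the acct: scheme. The function names, the relay.example data and the policy that the handle's host must equal the actor URI's host are assumptions.

```javascript
// Added example. All names and sample documents are constructed/hypothetical.
const AP_TYPES = new Set([
  'application/activity+json',
  'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
]);

// Accept "acct:user@host" or bare "user@host"; reject any other scheme or shape.
function normaliseSubject(subject) {
  if (typeof subject !== 'string') return null;
  const bare = subject.startsWith('acct:') ? subject.slice(5) : subject;
  const m = /^([^@\s:/]+)@([^@\s/]+)$/.exec(bare);
  if (!m) return null;
  const host = m[2].toLowerCase();
  return { host, acct: `acct:${m[1]}@${host}` };
}

// Bind the WebFinger document to the actor URI we intend to follow.
function assertRelayActor(jrd, actorUri) {
  const subject = normaliseSubject(jrd && jrd.subject);
  if (!subject) return { ok: false, reason: 'bad-subject' };
  let actor;
  try { actor = new URL(actorUri); } catch { return { ok: false, reason: 'bad-actor-uri' }; }
  if (actor.protocol !== 'https:') return { ok: false, reason: 'bad-actor-uri' };
  // Assumed policy: the handle and the actor live on the same host.
  if (subject.host !== actor.host) return { ok: false, reason: 'host-mismatch' };
  const links = Array.isArray(jrd.links) ? jrd.links : [];
  const self = links.find((l) => l && l.rel === 'self' && AP_TYPES.has(l.type));
  if (!self || self.href !== actorUri) return { ok: false, reason: 'self-link-mismatch' };
  return { ok: true, acct: subject.acct };
}

// Constructed WebFinger responses (relay.example is a placeholder host).
const selfLink = (href) => [{ rel: 'self', type: 'application/activity+json', href }];
const SAMPLES = {
  noScheme: { subject: 'relay@relay.example', links: selfLink('https://relay.example/actor') },
  withScheme: { subject: 'acct:relay@relay.example', links: selfLink('https://relay.example/actor') },
  otherHost: { subject: 'relay@relay.example', links: selfLink('https://other.example/actor') },
  urlSubject: { subject: 'https://relay.example/actor', links: selfLink('https://relay.example/actor') },
};

function runSamples() {
  return {
    noScheme: assertRelayActor(SAMPLES.noScheme, 'https://relay.example/actor'),
    withScheme: assertRelayActor(SAMPLES.withScheme, 'https://relay.example/actor'),
    otherHost: assertRelayActor(SAMPLES.otherHost, 'https://other.example/actor'),
    wrongSelf: assertRelayActor(SAMPLES.noScheme, 'https://relay.example/inbox'),
    urlSubject: assertRelayActor(SAMPLES.urlSubject, 'https://relay.example/actor'),
  };
}
```

    The missing scheme is normalised rather than rejected, but the self link and host still have to match the actor URI, so a relaxed subject check does not weaken the binding to the actor.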